Shortly after the September 11, 2001 terrorist attacks, the US government passed the PATRIOT act and told us it was needed to keep us safer from terrorism. PATRIOT stands for “Providing Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism”. After the attacks was a very vulnerable time for our population, and Bush was able to use our fear against us to pass the bill. I find it depressingly ironic that the bill was named “Patriot Act” yet was mainly composed of laws restricting our freedom, rather than advancing or even preserving the state of national security like it’s name implies. Provisions changed the law surrounding computer crimes and hacking.
Computer Fraud & Abuse Act (CFAA)
The CFAA is the basic federal hacking law. They make it illegal to exceed the authority in a protected computer system, and cause $5,000 in damages.
What does it mean to Exceed Authority on a Computer?
If you have no permission to access the computer in any way at all, you are exceeding your authority by logging in. If you log in using a brute-force password cracking attack or social engineering attack (and succeed either way), you can be charged with a violation of CFAA. This is exceeding your authority because you have no authorization to be there in the first place.
If you have certain permission to access the computer and you elevate your privileges to root/admin, you are exceeding also your authority. If you log into a system with an authorized username and password, but then use a local exploit to gain root access, this is also exceeding your authority.
It is possible to be charged with two counts of CFAA. If the prosecutor can prove you gained user access and then exploited the system again in order to elevate to root, you have exceeded your authority twice and can be charged twice. (So I guess that means you’re better off sticking to remote root exploits to begin with, since it is essentially killing two birds with one stone.)
What is a Protected computer?
Not all computers are protected by the CFAA. The term protected computer
is used to distinguish a computer which is protected by the CFAA. The requirement for this is that they must be used in interstate commerce. This means any computer connected to the internet. So if you are accessing your target across the internet, you are in CFAA jurisdiction and can be charged accordingly.
Patriot Act Revisions
Hackers can now be convicted as terrorists.
In order to qualify as a terrorist activity, you must meet three conditions:
* Retaliative activity is a loosely defined term which means you are trying to get back at someone for something [you claim] they did to you.
* Related to Classified information in some way. (ex. Gaining access to classified information.)
* Cause damage to governmental computer, or medical/physical injury.
If you are deemed to be a terrorist, the feds can seize your assets first and ask questions later. This is known as pre-conviction forfeiture (Think Guantanamo Bay). It is also important to note that terrorist acts can be punishable by life in prison or the death penalty.
$5,000 In Damages Trivialized
One of the most important aspects of the CFAA is the damages inflicted upon the victim. This used to mean that they had to show evidence that you directly caused $5,000 worth of damage. Say Google is suing you for DDoSing their gmail (email) system, and you manage to completely shut them down for 1 hour. Google can bring earnings statements to the court and make a calculation: If google makes $24,000/day on their gmail system, your actions caused them to lose $1,000 ($24,000 / 24 days = $1000/day). They would not be able to charge you because they failed to meet the minimum threshold. This is no longer the case. If Google takes any measures to investigate or repair their systems, those costs are now included too. So if Google deems it necessary to pay a hard drive forensics specialist, they can count any costs associated with him. The $5,000 limit has essentially vanished; it is doable by any corporation or large business, and is trivial to surpass.
Other Changes
- Wiretaps are now usable in computer crime investigations. If you are suspected of breaking into a computer, the feds can come after you with wiretaps.
- You no longer have to be successful at your attack. If you attempt to break into a computer, you are now punished as if you had succeeded. If you
- Previously the $5,000 had to be to one specific system. Now, there needs to be $5,000 in aggregate damages, so if you cause $2,500 worth of damage to one server and $2,500 to another, it counts as $5,000 in aggregate damages and is a violation of CFAA.
- If you help plan, perpetrate, or are a source of influence over someone engaging in CFAA, you can now be charged with CFAA (Aiding & Abetting).